iOS Developers Warned About Taking Shortcuts
Slapdash developers have been advised not to use the open source JSPatch method of updating their wares because it is as vulnerable as a soft boiled egg, for various reasons.
It’s FireEye that is giving JSPatch the stink eye and providing the warning that it has rendered over 1,000 applications open to copy and paste theft of photos and other information. And it doesn’t end there.
FireEye’s report said that Remote Hot Patching may sound like a good idea at the time, but it really isn’t. It is so widely used that it has opened a hole in the security of 1,220 iOS applications on Apple users’ devices. A better option, according to the security firm, is to stick with the Apple method, which should provide adequate and timely protection.
“Within the realm of Apple-provided technologies, the way to remediate this situation is to rebuild the application with updated code to fix the bug and submit the newly built app to the App Store for approval,” said FireEye.
“While the review process for updated apps often takes less time than the initial submission review, the process can still be time-consuming and unpredictable, and can cause loss of business if app fixes are not delivered in a timely and controlled manner.
“However, if the original app is embedded with the JSPatch engine, its behaviour can be changed according to the JavaScript code loaded at runtime. This JavaScript file is remotely controlled by the app developer. It is delivered to the app through network communication.”
Let’s not all make this JSPatch’s problem, because presumably it’s developers who are lacking.
FireEye spoke up for the open source security gear while looking down its nose at hackers. “JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes,” the firm said.
“Specifically, if an attacker is able to tamper with the content of a JavaScript file that is eventually loaded by the app, a range of attacks can be successfully performed against an App Store application.”
Courtesy of TheInq
Can OSX Make Macs Vulnerable To Rootkits?
The software genii at Apple have redesigned their OSX software to allow malware makers to make designer micro-software that can infect Macs with rootkits.
Obviously the feature is one that Apple software experts designed specifically for malware writers, perhaps seeing them as an untapped market.
The bug in the latest version of Apple’s OS X gives attackers root user privileges through a small piece of code that could be packed into a message.
Security researcher Stefan Esser said that this was the security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications.
The OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Plainly the software genii did not believe that the standard safeguards for additions to the OS X dynamic linker dyld applied to them, because they were protected from harm by Steve Jobs’ ghost.
This means that attackers can open or create files with root privileges anywhere in the OS X file system.
“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege-escalation,” Esser said.
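The close-on-exec point in Esser’s quote, shown as an added example that is not from the article or from Esser’s post: a log file opened without the flag is handed to whatever the process exec()s next, which is exactly how the dyld descriptor ends up inside the children of SUID binaries. The path, function names and the flawed-versus-hardened switch are this example’s own choices, not dyld’s code.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Open (or create) a log file. close_on_exec == 0 reproduces the flawed
 * pattern; non-zero adds O_CLOEXEC atomically, so the descriptor is dropped
 * by exec() instead of being inherited. (Example path, not dyld's.) */
int open_log(const char *path, int close_on_exec)
{
    int flags = O_WRONLY | O_CREAT | O_APPEND;
    if (close_on_exec)
        flags |= O_CLOEXEC;
    return open(path, flags, 0600);
}

/* 1 if fd would be inherited across exec() (FD_CLOEXEC unset),
 * 0 if exec() would close it, -1 if fd is not open at all. */
int survives_exec(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    if (fl < 0)
        return -1;
    return (fl & FD_CLOEXEC) ? 0 : 1;
}

/* Audit to run before exec(): count open descriptors in [3, max_fd) that a
 * child would inherit. A privileged program should expect 0 here. */
int count_exec_inherited_fds(int max_fd)
{
    int n = 0;
    for (int fd = 3; fd < max_fd; fd++)
        if (survives_exec(fd) == 1)
            n++;
    return n;
}

int main(void)
{
    int bad = open_log("/tmp/cloexec_demo.log", 0);   /* the dyld-style mistake */
    int good = open_log("/tmp/cloexec_demo.log", 1);  /* the hardened form */
    printf("bad survives exec: %d, good survives exec: %d, leaky fds: %d\n",
           survives_exec(bad), survives_exec(good), count_exec_inherited_fds(64));
    close(bad);
    close(good);
    return 0;
}
```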
The vulnerability is present in both the current 10.10.4 (Yosemite) version of OS X and the current beta version of 10.10.5. Importantly, the current beta version of 10.11 is free of the flaw, an indication that Apple developers may already be aware of the vulnerability.
An Apple spokesman said that engineers are aware of Esser’s post; of course, they did not say they would do anything about it. They will have to go through the existential crisis involved in realising that their product was not secure or perfect. Then the security team will have to issue orders, signed in triplicate, sent in, sent back, queried, lost, found, subjected to an internal inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.
Microsoft Unveils ‘Send’ Mobile App
Microsoft unveiled a mobile-minded alternative to email that’s focused primarily on short, quick messages.
Named Send, the new tool aims to deliver a simple experience much like that offered by text messaging or instant messaging software but without the need to know a co-worker’s mobile number or username. Instead, Send lets users quickly fire off a message to any co-worker using just their email address; no subject line, salutations or signatures are required.
“On my way,” might be one example, or “Are you in the office today?”
The app connects to Office 365 business and school email accounts to find frequent and recent contacts; users need only tap on one to start a conversation. A “Quick Reply” option allows for speedy responses.
That Office 365 connection, meanwhile, also means conversations are synced with Outlook, letting users continue them from anywhere. Messages sent using Send are treated internally like any other work email and comply with an organization’s email compliance policies, Microsoft said.
Send is now available free for iPhone through the Microsoft Garage in the U.S. and Canada. Versions for Windows Phone and Android are coming soon, as are additional IT controls. Currently the app works with Office 365 business and school email accounts, but Microsoft plans to make it more broadly available in the coming months, it said.
Can Android AT Work Entice The Enterprise?
March 9, 2015 by admin
Filed under Around The Net
Google Inc rolled out an initiative to make smartphones running its Android software more appealing to corporations, a move that could help extend the Internet technology giant’s reach into workplaces.
Google said on its official blog that its Android for Work program will provide improved security and management features for corporations that want to give their employees Android smartphones. Smartphones supported by the new initiative will be able to keep an employee’s work and personal apps separate, and a special Android for Work app will allow businesses to oversee key tools such as email, calendar and contacts.
Google said it is partnering with more than two dozen companies, including Blackberry Ltd, Citrix Systems Inc and Box Inc.
Google’s Android software is the world’s most popular mobile operating system, but many corporations, which have significant security and device management requirements, give their employees smartphones made by Blackberry or Apple Inc.
New Malware Targeting Apple Devices
Palo Alto Networks Inc has uncovered a new group of malware that can infect Apple Inc’s desktop and mobile operating systems, underscoring the increasing sophistication of attacks on iPhones and Mac computers.
The “WireLurker” malware can install third-party applications on regular, non-jailbroken iOS devices and hop from infected Macs onto iPhones through USB connector-cables, said Ryan Olson, intelligence director for the company’s Unit 42 division.
Palo Alto Networks said on Wednesday it had seen indications that the attackers were Chinese. The malware originated from a Chinese third-party apps store and appeared to have mostly affected users within the country.
The malware spread through infected apps uploaded to the app store, which were in turn downloaded onto Mac computers. According to the company, more than 400 such infected apps had been downloaded over 350,000 times so far.
It’s unclear what the objective of the attacks was. There is no evidence that the attackers had made off with anything more sensitive than messaging IDs and contacts from users’ address books, Olson added.
But “they could just as easily take your Apple ID or do something else that’s bad news,” he said in an interview.
Apple, which Olson said was notified a couple of weeks ago, did not respond to requests for comment.
Once WireLurker gets on an iPhone, it can go on to infect existing apps on the device, somewhat akin to how a traditional virus infects computer software programs. Olson said it was the first time he had seen it in action. “It’s the first time we’ve seen anyone doing it in the wild,” he added.
Will Skype 3rd Party APIs End?
Angry Developers, a breed not unlike Angry Birds but without the desire to fling themselves at naughty pigs, have started a petition asking Microsoft to withdraw its plan to switch off the desktop API for Skype.
The news follows Microsoft’s announcement that support for third party applications will end in December. The change.org petition explains, “The decision to discontinue Skype’s Desktop API impacts our ability to use Skype within my normal Skype calling activities.” It goes on to request that, “Skype/Microsoft provide continued support for third party Skype utilities that have become mission critical to Skype’s users.”
The API runs a range of services, including call recording clients, and in some cases third party hardware including certain headsets. Its discontinuation will most likely see problems for third party instant messaging (IM) services that rely on the API to aggregate IM services, as Skype does not use the Jabber protocol.
Microsoft’s explanation of this was fairly straightforward. It said, “The Desktop API was created in 2004 and it doesn’t support mobile application development. We have, therefore, decided to retire the Desktop API in December 2013.”
However, many developers who receive income from their products using the Skype API are unsatisfied with this.
Although Skype has had a mobile client dating back as far as Windows Mobile 5, it has never had parity with the desktop version and there remains some bewilderment as to why Microsoft has made this decision.
At the time of writing shortly after launch on Friday, the petition had 540 signatures and rising, showing that there is a groundswell of support for the initiative.
Skype Confirms Glitch
July 23, 2012 by admin
Filed under Around The Net
Skype, a division of Microsoft, confirmed on Monday that a bug in its software has led to instant messages being shared with unintended parties.
The company said it will provide an update to fix the problem in “the next few days.”
According to user reports, the unintended recipients have been connected to just one of the two users who were exchanging messages. The problem could have harmful consequences. For example, two co-workers using Skype to exchange IMs (instant messages) could, as a result of the problem, share the message with another contact in one user’s address book — potentially a third co-worker being unfavorably described in their IM exchange.
According to Skype, the problem only arises in “rare circumstances.”
The issue first came to light last week in Skype’s user forums. It seems to stem from the update issued by the voice, video and text messaging service in June.
Europe Investigating Google’s Privacy Policy
March 6, 2012 by admin
Filed under Around The Net
France’s data protection watchdog is questioning the legality and fairness of Google’s new privacy policy, which it said breached European laws.
The CNIL regulator told Google in a letter dated February 27 it would lead a European-wide investigation of the web search giant’s latest policy and would send it questions by mid-March.
Google said in January it was simplifying its privacy policy, consolidating 60 guidelines into a single one that will apply for all its services, including YouTube, Gmail and its social network Google+.
The U.S. Internet company also said it will pool data it collects on individual users across its services, allowing it to better tailor search results and improve service.
Users cannot opt out of the new policy if they want to continue using Google’s services.
“The CNIL and EU data authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and its compliance with European data protection legislation,” the French regulator wrote to Google.
Google plans to put the changes into effect March 1 and has rebuffed two requests from European regulators for a delay.
The tussle over data privacy comes at a delicate time for Google, whose business model is based on giving away free search, email, and other services while making money by selling user-targeted advertising.
It is already being investigated by the EU’s competition authority and the U.S. Federal Trade Commission over how it ranks search results and whether it favors its own products over rival services.
Skype Debuts Video Calls For Android
July 5, 2011 by admin
Filed under Smartphones
Skype, which is being gobbled up by Microsoft for $8.5 billion, debuted a new service on Thursday allowing users of Android phones to make free video calls to Skype contacts, including those on Apple iPhones.
The company whose name has become synonymous with Internet calling said its updated Android app would initially support video calling on selected HTC and Sony Ericsson Phones, with more devices to follow shortly.
“We are committed to bringing Skype video calling to as many platforms as possible,” Skype’s product and marketing chief Neil Stevens said in a statement.
The move will help makers of phones based on Google’s Android software compete with Apple’s FaceTime video-calling service launched last year for the iPhone and now available on its iPad 2 tablet and Mac computers.
Video calling could also help new Skype owner Microsoft promote its Windows Phone smartphone platform, which it is merging with Nokia’s in an effort to become competitive with Android and Apple.
Google Moves Quickly To Plug Data Leaks
May 24, 2011 by admin
Filed under Smartphones
Google confirmed that it’s starting to roll out a server-side patch for a security vulnerability in most Android phones that could allow hackers to access important credentials at public Wi-Fi hotspots.
“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts,” said a Google spokesman in an emailed statement. “This fix requires no action from users and will roll out globally over the next few days.”
Google will apparently apply the fix to its servers since it does not need to push out an over-the-air update to Android phones.
Experts applauded Google’s fast reaction.
“It’s impressive how quickly Google fixed this,” said Kevin Mahaffey, chief technology officer and a co-founder of San Francisco-based mobile security firm Lookout. “Google’s security team, especially on Android, is very, very quick to deal with issues.”
Whatever Google is implementing will shut the security hole that three German researchers publicized last week.
According to the University of Ulm researchers, who tested another researcher’s contention last February that Android phones sent authentication data in the clear, hackers could easily spoof a Wi-Fi hotspot — in a public setting such as an airport or coffee shop — then snatch information that users’ phones transmitted during synchronization.
In Android 2.3.3 and earlier, the phone’s Calendar and Contacts apps transmit information via unencrypted HTTP, then retrieve an authentication token from Google. Hackers could eavesdrop on the HTTP traffic at a public hotspot, lift authentication tokens and use them for up to two weeks to access users’ Web-based calendars, their contacts and also the Picasa photo storage and sharing service.